Www.2cto.com
------- A record of the Try2.org vulnerability discovery process
I had nothing to do today and happened to chat with Bluephantom, the webmaster of the try2 lab, about security. Bluephantom said that if I could exploit a vulnerability on the try2 website, he would buy me dinner. I got excited as soon as it came up, but I also knew that Bluephantom had written www.try2.org with security in mind and had filtered a great deal. Could I pull it off?
I gave it a try and scanned Try2.org with X-Scan. (Figure 1)
Figure 1
Of the X-Scan results, only one interested me ------- HTTP TRACE cross-site attack. I couldn't help drawing a sharp breath. Was it an X-Scan false positive, or does www.Try2.org really have a so-called cross-site (XSS) vulnerability? (Figure 2)
Figure 2
The Try2.org program was written by Bluephantom and is open source. After reading the source code: every variable is enclosed in quotation marks, and quotation marks are filtered. By common sense, how could this possibly be done? But I believe one thing: there is no absolutely secure program.
Speaking of which, I have to admire Bluephantom's filtering. The commonly used single quote "'" has long since lost all meaning on the try2.org site. (Figure 3)
Figure 3
Since we're going for cross-site scripting, how do we get across? Let's construct a cross-site statement first!
<iframe src="http://www.baidu.com/" width="800" height="160" frameborder="0"></iframe>
Of course, it also contains HTTP's escape character, the so-called space (which gets URL-encoded). Submit this statement in the search box at www.Try2.Org. (Figure 4)
Figure 4
Obviously the quotation marks are filtered, just as Bluephantom said, so a quoted string can never be completed. And all HTML is escaped, that is, < and > become &lt; and &gt; and so on... But I also see that the submitted code becomes
<iframe src=\"http://www.baidu.com/\" width=\"800\" height=\"160\" frameborder=\"0\"></iframe>
in that format.... Here I have to poke a little fun (BS): inserting a "\" in front of each quotation mark is what makes the cross-site attempt fail. But does that make cross-site scripting impossible? I'm not discouraged...
Light a cigarette, take a sip of water... Continue.........
I found that basically all of try2's URLs have the structure...
http://www.try2.org/index.php?act=viewer&a...xx&tree=yes
act=viewer... module=tools is the page? The typeid= and id= at the end should be for viewing the content. The last one, tree, is yes or no; I'm not sure what tree does.
Two query parameters are visible: typeid= and id=.
Oh, sorry. Look at the URL of this page, shown under the article title.
http://www.try2.org/index.php?act=viewer...ools&id=xxx
Is this the address of the article? (Figure 5)
Figure 5
From this it seems that the URL is submitted and then echoed back as the address. That is to say, if we hand our statement to the query variable id=, will the cross-site attempt succeed?
Submit http://www.try2.org/index.php?act=viewer&a...t;&tree=yes. (Figure 6)
Figure 6
Dizzy. My guess was right: yes, it is echoed back, but it is filtered. Here Bluephantom got lazy when writing the program: whatever is submitted is echoed back as-is, only with the filter applied. A convenient shortcut.
Writing this far, I have to lament on try2.org's behalf: since Bluephantom had already noticed this issue, why not fix it properly? Are only the double quotation marks restricted? BS for now.... Getting depressed.... Considering whether to give up.
Smoking...
By chance I happened to notice the HTML code of Baidu's search box... Hey? Isn't this just a query box and a button? No quotation marks at all. Good.
I immediately simplified the code and constructed a button.
<form action=http://www.baidu.com/baidu method=get><input type=text name=word><input type=submit value=baidu></form>
Write it into the constructed URL.
http://www.try2.org/index.php?act=viewer&a...t;&tree=yes
Quick test. (Figure 7)
Figure 7
It succeeded. Testing it now: the search works and opens in a new window. But I soon found a new problem. Isn't this supposed to come from this page? Why can't I get anything from this page?
After a brief moment of happiness I sank into depression again... More smoking...
Dizzy, it turns out I was being stupid. In the URL I constructed, can't I just put something else after action=? Hahaha, let's see what the cookies look like.
Excited, I submitted the URL.
http://www.try2.org/index.php?act=viewer&...&id=&tree=yes
Once again, why doesn't this code run? (Figure 8)
Figure 8
After looking at the URL I realized I had made a low-level mistake. Ah..
Originally I submitted this:
http://www.try2.org/index.php?act=viewer&a...&id=&tree=yes
In that URL the quotation marks are filtered again, so after the page runs the address becomes
http://www.try2.org/index.php?act=viewer&a...&id= . Okay, remove the quotation marks, remove the text box, and submit again.
http://www.try2.org/index.php?act=viewer&...m action=javascript:alert(document.cookie) method=get><input type=submit value=baidu></form>&tree=yes
When the button appeared I couldn't wait to press it. Haha, I got the cookies... (Figure 9)
Figure 9
I was excited for a long while before finally going quiet. It seems this doesn't do much: the session can only be forged while the administrator is logged in, and besides, the backend written by Bluephantom still uses cookies for backend login, which is depressing; more smoking...... While I was fretting over how to quit smoking, I compared the two cross-site payloads.
One is a button, the other is an iframe.
Suddenly I found another low-level mistake.
<iframe src="http://www.baidu.com/" width="800" height="160" frameborder="0"></iframe>
I can simply remove the double quotation marks from this.
<iframe src=http://www.baidu.com/ width=800 height=160 frameborder=0></iframe>
OK, then construct the URL.
http://www.try2.org/index.php?act=viewer&a...t;&tree=yes
Test.
Haha, I finally see the long-awaited Baidu. (Figure 10)
Figure 10
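To make the root cause concrete, here is an added example of my own (Python, not try2.org's code). It models a hypothetical viewer page that reflects the id= parameter after one filter function: addslashes stands in for the backslash-before-quotes filtering the site applied to id=, and htmlspecialchars for proper HTML output encoding. The page URL, the render_page helper and the small attribute tokenizer are assumptions made for the demonstration; the three payloads are the ones from the write-up. The tokenizer shows why the quoted iframe broke (a browser reads \"http://www.baidu.com/\" as an unquoted value that still contains the backslashes and quotes) while quote-free attributes pass through untouched, and why encoding "<" as &lt; neutralises all three payloads regardless of quoting.

```python
import html
import re

# Payloads from the write-up: the quoted iframe that failed, the quote-free
# iframe and the quote-free form that worked.
PAYLOAD_IFRAME_QUOTED = (
    '<iframe src="http://www.baidu.com/" width="800" height="160" frameborder="0"></iframe>'
)
PAYLOAD_IFRAME_BARE = (
    "<iframe src=http://www.baidu.com/ width=800 height=160 frameborder=0></iframe>"
)
PAYLOAD_FORM_BARE = (
    "<form action=javascript:alert(document.cookie) method=get>"
    "<input type=submit value=baidu></form>"
)


def addslashes(value: str) -> str:
    """Mimic PHP addslashes()/magic_quotes_gpc: a backslash before ' " \\ and NUL."""
    return re.sub(r"([\\'\"\x00])", r"\\\1", value)


def htmlspecialchars(value: str) -> str:
    """Mimic PHP htmlspecialchars($s, ENT_QUOTES): encode < > & " ' for HTML output."""
    return html.escape(value, quote=True)


def render_page(param_value: str, sanitizer) -> str:
    """Hypothetical viewer page (an assumption, not the real index.php) that
    echoes the id= parameter into the page body after one filter."""
    return (
        "<p>Article URL: http://www.try2.org/index.php?act=viewer&id="
        + sanitizer(param_value)
        + "</p>"
    )


# Rough HTML attribute tokenizer: a quoted value ends at the matching quote,
# an unquoted value ends at whitespace or '>'. That rule is what makes
#   src=\"http://www.baidu.com/\"
# parse as an unquoted value that still carries the backslashes and quotes.
_ATTR_RE = re.compile(r"""([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def attribute(page_html: str, tag: str, name: str):
    """Value a browser would assign to attribute `name` of the first live `tag`,
    or None when no real tag exists (e.g. because '<' was encoded as &lt;)."""
    m = re.search(rf"<{tag}\b([^>]*)>", page_html, re.IGNORECASE)
    if m is None:
        return None
    for a in _ATTR_RE.finditer(m.group(1)):
        if a.group(1).lower() == name:
            return next(g for g in a.groups()[1:] if g is not None)
    return None


if __name__ == "__main__":
    cases = [
        ("quoted iframe", PAYLOAD_IFRAME_QUOTED, "iframe", "src"),
        ("bare iframe", PAYLOAD_IFRAME_BARE, "iframe", "src"),
        ("bare form", PAYLOAD_FORM_BARE, "form", "action"),
    ]
    for label, payload, tag, attr in cases:
        print(label)
        print("  addslashes only  ->", attribute(render_page(payload, addslashes), tag, attr))
        print("  htmlspecialchars ->", attribute(render_page(payload, htmlspecialchars), tag, attr))
```

Running the script prints the attribute each payload ends up with under the two filters: with addslashes alone, the quoted iframe's src is mangled to \"http://www.baidu.com/\" while the bare iframe and the javascript: form action survive intact, which is exactly the behaviour the write-up observed; with htmlspecialchars no tag exists at all, so every lookup returns None. Backslash-quoting is a database escaping technique; the fix for reflected parameters is to HTML-encode them at output time.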
Wow, finally done. No need to explain what comes next, right? Hahahaha.
At this point there is some joy after success. After all, programs are written by people, and vulnerabilities are unavoidable; as long as vulnerabilities exist, software will keep being hardened and upgraded. It seems Bluephantom will have to buy me dinner. Try2.org will soon release a corresponding patch.
Finally, everyone come to try2, sign up, and ask Bluephantom for dinner.
By zf